Error when trying to connect to VPN on startup

Question

This question has been updated. Please see the tail end of this post.

I am trying to set up my Mythbuntu computer to connect to a VPN service when it starts up. My hope is that the Mythbuntu computer will always use the VPN for all of its internet connections.

I found a script that will supposedly do that, and it looks like this:

#!/bin/bash
while [ "true" ]
do
    VPNCON=$(nmcli con status)
    if [[ $VPNCON != "*MyVPNConnectionName*" ]]; then
        echo "Disconnected, trying to reconnect..."
        (sleep 1s && nmcli con up uuid df648abc-d8f7-4ce4-bdd6-3e12cdf0f494)
    else
        echo "Already connected !"
    fi
    sleep 30
done

When I run this script on my machine, I get the following error:

$ /home/mythbuntu/VPN_start.sh
Disconnected, trying to reconnect...
Error: Connection activation failed: Not authorized to control networking.

I thought it might be a permission issue, so I tried running it with sudo:

$ sudo /home/mythbuntu/VPN_start.sh
[sudo] password for mythbuntu: 
Disconnected, trying to reconnect...
Active connection state: unknown
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/1
state: VPN connecting (need authentication) (2)
Error: Connection activation failed: no valid VPN secrets.

How do I get this script to run without errors so that I can run it at boot or login so that I can make sure I'm always connecting by VPN.

If anyone has a better script or method, that would also suffice as an answer.

---

These are the contents of my /etc/NetworkManager/system-connections/MyVPN file (some details replaced with x characters for privacy):

[connection]
id=MyVPN
uuid=xxxxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxxxxx
type=vpn

[vpn]
service-type=org.xxxxxxxxxxxxxx.xxxxxxxxxxxxxxx.openvpn
username=xxxxxxxxxx
comp-lzo=yes
remote=us-xxxxxx.xxxxxxx.com
connection-type=password
password-flags=0
ca=/etc/openvpn/xxxxxxx.crt

[vpn-secrets]
password=xxxxxxxxxxx

[ipv4]
method=auto
never-default=true

Also, I just want to add that when I turn on the VPN using the applet in top right corner the Xfce panel, it connects no problem. So the issue doesn't seem to me to be one of incorrect authorization, but of the configuration when trying to do this from the command line.

Update:

I'm not entirely sure what has changed - possibly something in the upgrade to 12.10 - but I can now start my VPN service from the command line. However, this command only works once when I very first start the computer, and also it needs to be run with sudo.

mythbuntu@mythbuntu:~$ nmcli con up id "Private Internet Access SSL"
Error: Connection activation failed: Not authorized to control networking.
mythbuntu@mythbuntu:~$ sudo nmcli con up id "Private Internet Access SSL"
[sudo] password for mythbuntu: 
mythbuntu@mythbuntu:~$

Since I need to use sudo to run this, I can't run it automatically at startup.

How do I get it so that I can start my VPN without super user permissions?

Answer 1

The problem seems to be, that your password in keyring is not accessible.

Source

Solution mentioned there is to open file /etc/NetworkManager/system-connections/ConnectionName and set the

password-flags=0

and add the below lines to the file

 [vpn-secrets]
 password=YourPassword

Then restart network manager to pick up the change:

 sudo restart network-manager

For more info refer the source

Answer 2

To start VPN automatically at startup

Assuming you have your credentials files working, you should be able to use a dispatcher.d script like you originally had to start your VPN. I've modified your script a bit to get it working with 2 connections (Wireless router at home, and wired connection at work). The reason for this is that I want it to start the VPN if it's not started when either of my required internet connections are alive. In my example, I've configured them with default names, but you should change them to match your own names.

Put this in the file /etc/NetworkManager/dispatcher.d/vpn-up, and make executable with chmod +x

#! /bin/bash

REQUIRED_CONNECTION1_NAME="linksys"
REQUIRED_CONNECTION2_NAME="Wired connection 1"
VPN_CONNECTION_NAME="My VPN"


activ_con=$(nmcli con status | grep "${REQUIRED_CONNECTION1_NAME}\|${REQUIRED_CONNECTION2_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_CONNECTION_NAME}")
if [ "${activ_con}" -a ! "${activ_vpn}" ];
then
    nmcli con up id "${VPN_CONNECTION_NAME}"
fi

To configure client certificates in NetworkManager

If you are using a client cert with password to authenticate to your VPN, it is a bit undocumented.

After browsing through the NetworkManager 0.9 settings specification, I was unable to determine how to specify a vpn cert pass in the config file. I opened up seahorse and found my 'VPN secret' (certificate password).

It was listed as something like 'VPN cert-pass secret for My VPN/org.freedesktop.NetworkManager.openvpn/vpn'. Clicking on the details tab gave me a clue for the setting-key name:

setting-name: vpn
setting-key: cert-pass
connection-uuid: 0badcafe-f00d-dead-beef-feedfacef00d

To start a VPN automatically as root on Ubuntu 12.04 (Precise Pangolin) using NetworkManager 0.9.4.0:

Open /etc/NetworkManager/system-connections/My VPN and add the cert-pass VPN secret so the file looks like:

[connection]
id=My VPN
uuid=0badcafe-f00d-dead-beef-feedfacef00d
type=vpn
timestamp=1234567890

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
key=/home/<your-user>/path/to/certs/your.secure.key
ca=/home/<your-user>/path/to/certs/your.vpnca.crt
connection-type=tls
cert=/home/<your-user>/path/to/certs/your.crt
remote=your.vpn-server.com
cert-pass-flags=0
[vpn-secrets]
cert-pass=your-vpn-pass

[ipv4]
method=auto
never-default=true